GitLab released a security update on April 14, 2021, to address CVE-2021-22205, a severe remote code execution vulnerability in the web interface. At the time, GitLab described it as an authenticated vulnerability caused by passing user-supplied images to the service's embedded copy of ExifTool. ExifTool's mishandling of DjVu files allowed a remote attacker to run arbitrary commands as the git user; that ExifTool flaw was eventually assigned its own identifier, CVE-2021-22204.
CVE-2021-22205 was given a CVSSv3 score of 9.9 when it was first disclosed. GitLab later revised the CVSSv3 score to 10.0 on September 21, 2021. The higher score reflects the reclassification of the issue from authenticated to unauthenticated. Despite the small difference in CVSS score, the change from authenticated to unauthenticated has significant consequences for defenders. In AttackerKB, Rapid7's vulnerability research team provides a complete root cause analysis of CVE-2021-22205.
This vulnerability has been exploited in the wild since June or July of 2021, according to various newly released public exploits. As the unauthenticated nature of this vulnerability becomes more publicly acknowledged, we expect exploitation to rise.
CVE-2021-22205 impacts all versions of GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) starting with 11.9.1, according to GitLab’s April 2021 alert. The following versions have been updated to address the vulnerability:
13.10.3
13.9.6
13.8.8
Versions discovered in the wild
Patches for GitLab had been available for more than six months at the time of writing (October 31, 2021). However, an examination of GitLab instances that are accessible via the internet indicates that a significant proportion are still susceptible.
We can see just under 60,000 GitLab installations that are accessible via the internet. GitLab's web interface, unfortunately, lacks an easy-to-extract version string. However, we can divide internet-facing GitLab installations into three groups using two observable changes in the web interface: the introduction of application utilities around a year ago, and the later move of application utilities into the loading suggestions header.
This is what we discovered out of the 60,000:
This vulnerability has been fully patched in 21% of installations.
This vulnerability is not patched in 50% of installations.
29% of installations may be vulnerable.
Recommendations for mitigation
In AttackerKB, Rapid7’s emergent threat response team provides a thorough technical study of CVE-2021-22205, as well as multiple techniques for GitLab customers to check if they are running vulnerable versions.
Users of GitLab should update to the most recent version as soon as possible. Furthermore, GitLab should ideally not be exposed directly to the internet. Consider placing your GitLab instance behind a VPN if you need to reach it from the internet.
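As an added example (not code from the original article, GitLab or Rapid7), the following Python helper classifies a GitLab version string against the affected range and fix releases stated above; it assumes that versions older than 11.9.1 are unaffected and that every branch newer than 13.10 shipped with the fix, and the sample inventory at the bottom is constructed.

```python
"""Classify GitLab version strings against the CVE-2021-22205 fix releases.

Encodes the ranges stated in the advisory text: affected from 11.9.1 onward,
fixed in 13.10.3, 13.9.6 and 13.8.8. Assumption: branches newer than 13.10
are fixed, branches older than 13.8 never received a backport.
"""
from __future__ import annotations
import re

FIRST_AFFECTED = (11, 9, 1)
# Fix release per minor branch, as listed in the advisory.
FIXED_RELEASES = {(13, 10): (13, 10, 3), (13, 9): (13, 9, 6), (13, 8): (13, 8, 8)}
LATEST_FIXED_BRANCH = (13, 10)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '13.9.5', '13.9.5-ee' or 'v13.9.5' into (13, 9, 5)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def status(text: str) -> str:
    """Return 'not-affected', 'vulnerable' or 'fixed' for one version string."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not-affected"
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return "fixed" if v >= FIXED_RELEASES[branch] else "vulnerable"
    # No backport for older branches; newer branches include the fix (assumption).
    return "fixed" if branch > LATEST_FIXED_BRANCH else "vulnerable"


def is_vulnerable(text: str) -> bool:
    return status(text) == "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory of instance versions.
    for ver in ["11.9.0", "11.9.1", "13.7.9", "13.8.7", "13.9.5-ee", "13.10.3", "14.4.0"]:
        print(f"{ver:>10}: {status(ver)}")
```

Feed it the version reported by your own instances (for example from the admin area or the authenticated /api/v4/version endpoint) to get a quick patched/unpatched split of your inventory.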